Suped

What specific header does DMARC use for alignment checks?

When getting started with DMARC, a common point of confusion is what specific header it uses for its alignment checks. The simple answer is that DMARC doesn't introduce a new, unique header for its checks. Instead, it leverages the most important header from a user's perspective: the From: header. This is the email address your recipients see in their inbox.

DMARC's primary job is to ensure that the domain in the From: header is the actual sender of the email. It achieves this by checking that the domains used for SPF and DKIM authentication are "aligned" with the From: header's domain.


The 'From' header: The core of DMARC alignment

The From: header is the linchpin of the entire DMARC process. It represents the sender's identity as far as the end-user is concerned. If a scammer spoofs this address, the recipient might believe the email is from a trusted source. DMARC was designed specifically to prevent this by verifying that the technical authentication mechanisms (SPF and DKIM) point back to the same domain the user sees.

DMARC Manager says:
The Header.From domain is the DMARC From field's central identity as the message's originator. End users use this field to identify the sender of a message, making it a crucial component for brand identity and security.

How DMARC performs alignment checks

For an email to pass DMARC, two conditions must hold. First, it must pass either SPF or DKIM authentication. Second, the domain used in the passing authentication check must align with the domain in the From: header. This is known as "identifier alignment". Let's break down how it works for both SPF and DKIM.

SPF alignment

SPF authenticates the server sending the email. It does this by checking the domain in the email's Return-Path header (also known as the `Mail From` or `Envelope From`). For DMARC SPF alignment, the receiving server compares the domain in this Return-Path with the domain in the visible From: header.

Amazon Web Services, Inc. says:
To check for SPF alignment, DMARC matches the Mail From or Envelope From domain with the From domain. Strict alignment is when the Mail From or Envelope From domain is an exact match for the From domain. Relaxed alignment is when the Mail From or Envelope From domain is a subdomain of the From domain.

  • Strict Alignment (s): The domain in the Return-Path must exactly match the domain in the From: header. For example, if the `From:` header is `sender@example.com`, the `Return-Path` must also be from `example.com`.
  • Relaxed Alignment (r): The domain in the Return-Path can be a subdomain of the From: header's domain. For example, if the `From:` header is `sender@example.com`, the `Return-Path` could be from `bounces.example.com`.

DKIM alignment

DKIM provides a cryptographic signature to verify that the message hasn't been tampered with. This signature is stored in the DKIM-Signature header and includes a domain tag (d=). For DMARC DKIM alignment, the receiving server compares the domain in this d= tag with the domain in the visible From: header.

Chargebee Docs says:
With DKIM, alignment compares the value in the DKIM-signature domain field (d=) in the message header to the domain in the From address.

  • Strict Alignment (s): The domain in the d= tag must exactly match the domain in the From: header.
  • Relaxed Alignment (r): The domain in the d= tag can be a subdomain of the From: header's domain.
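
The SPF and DKIM alignment checks described above can be sketched as follows. This is an added example, not code from the original page or from any DMARC product. The function names and the sample message are constructed for illustration, `aspf`/`adkim` are the DMARC record tags that select strict or relaxed mode, and the SPF and DKIM verdicts are assumed inputs. Relaxed mode follows the subdomain definition given above; receivers implementing RFC 7489 compare organizational domains using the Public Suffix List, which this sketch does not do.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message for illustration (not from the original page).
SAMPLE = """\
Return-Path: <bounce-123@bounces.example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=s1;
 h=from:subject; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=k1;
 h=from:subject; bh=AAAA; b=BBBB
From: "Sender" <sender@example.com>
Subject: hello

body
"""

def domain_of(header_value):
    """Lowercased domain of the address in a From: or Return-Path value."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def aligned(auth_domain, from_domain, mode):
    """mode 's': exact match only; mode 'r': exact match or subdomain."""
    if not auth_domain or not from_domain:
        return False
    if auth_domain == from_domain:
        return True
    # The leading dot keeps look-alikes such as notexample.com from matching.
    return mode == "r" and auth_domain.endswith("." + from_domain)

def dkim_domains(msg):
    """The d= tag of every DKIM-Signature header on the message."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", sig)
        if m:
            found.append(m.group(1).lower())
    return found

def dmarc_alignment(raw, spf_pass, dkim_pass_domains, aspf="r", adkim="r"):
    """spf_pass and dkim_pass_domains are assumed inputs: the receiver's own
    SPF and DKIM verdicts. No DNS lookup or signature check happens here."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    spf_ok = bool(spf_pass) and aligned(domain_of(msg["Return-Path"]), from_dom, aspf)
    dkim_ok = any(d in dkim_pass_domains and aligned(d, from_dom, adkim)
                  for d in dkim_domains(msg))
    return {"from": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}
```

A message can carry several DKIM signatures; one passing signature whose `d=` domain aligns is enough, while a passing signature from an unrelated domain contributes nothing to DMARC.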

In summary, DMARC's power comes from this process of alignment. It connects the visible From: address that humans see with the underlying technical authentication headers that mail servers check. By requiring that these domains match, DMARC ensures that an email is not just authenticated, but that it is authenticated by the same entity it claims to be from, effectively stopping direct domain spoofing.
